  1. To Be or Not To Be Created: Abstract Object Creation in Dynamic Logic
  Wolfgang Ahrendt (1), Frank S. de Boer (2), Immo Grabe (3)
  (1) Chalmers University, Göteborg, Sweden; (2) CWI, Amsterdam, The Netherlands; (3) Christian-Albrechts-University Kiel, Germany
  Tallinn, 22/08/2012

  2. Part I: Motivation and Outline

  3. Modeling Object Creation in Program Logics
  Object-oriented programming languages (like Java):
  ◮ high-level way of creating objects
  ◮ abstract away from memory allocation
  ◮ programmer has no access to non-created (pre-)objects
  This abstraction is not matched by program logics:
  ◮ constant domain assumption
  ◮ non-created objects included in quantification
  ◮ additional artifacts (ghost fields) to distinguish created objects
  ◮ consistency conditions on reachable states
  Because of this mismatch:
  ◮ logics lose the full abstraction property
  ◮ additional complexity in formulas and proofs
  ◮ symbolic state bloated by createdness information

  4. Approach Taken
  ◮ a logic that can only 'talk about' created objects
  ◮ problem: the calculus cannot 'substitute' new objects into pre-conditions
  ◮ solution: non-standard substitution using meta-knowledge about 'newness'
  ◮ carry over to the symbolic execution paradigm

  5. Simplifications for Presentation
  ◮ we examine object creation in a simplified setting
  ◮ the simplifications are orthogonal to object creation
  ◮ scalable to full languages with abstract object creation

  6. Part II: Syntax and Semantics

  7. A Simple Object-Oriented While Language
  ◮ only one class: Object
  ◮ 3 types: Object, Integer, Boolean
  ◮ no methods
  ◮ variables (e.g. $u, v, w$) distinct from fields (e.g. $x, y, z$)
  statements:
  $s ::= \text{while } e \text{ do } s \text{ od} \mid s_1;\, s_2 \mid u := e \mid e_1.x := e_2 \mid u := \text{new}$
  expressions:
  $e ::= u \mid e.x \mid \text{null} \mid e_1 = e_2 \mid op(e_1, \ldots, e_n)$
  to separate the issues of object creation and aliasing:
  ◮ no native statement $e.x := \text{new}$
  ◮ it can be simulated by $u := \text{new};\ e.x := u$ ($u$ fresh)

  8. Hoare Logic vs. Dynamic Logic (DL) + Updates
  Hoare logic:
  ◮ triples $\{\varphi\}\, p\, \{\psi\}$
  ◮ backward calculus, e.g. the assignment rule
    $\dfrac{\{\varphi\}\, p\, \{\psi^{x}_{e}\}}{\{\varphi\}\, p;\, x := e\, \{\psi\}}$
  Dynamic logic with updates:
  ◮ DL extends FOL by modalities $[p]\psi$, $\langle p \rangle\psi$
  ◮ we add an "update" modality $\{x := e\}\varphi$ (explicit substitution)
  ◮ forward calculus:
    $\dfrac{\Gamma \vdash \{x := e\}[p]\psi}{\Gamma \vdash [x := e;\, p]\psi}$

  9. The Logic: Dynamic Logic with Updates
  ◮ expressions $e$, $\{U\}e$
  ◮ logical connectives $\wedge, \vee, \rightarrow, \neg$
  ◮ quantified formulas $\forall l.\varphi$, $\exists l.\varphi$
  ◮ modal formulas (base cases): $\langle s\rangle\varphi$, $[s]\varphi$, $\{U\}\varphi$
  ◮ $U$ is an update of one of the forms:
    ◮ $u := e$
    ◮ $e_1.x := e_2$
    ◮ $u := \text{new}$

  10. Semantics (informal in this talk)
  ◮ $[\![u := \text{new}]\!]_\sigma$: create a new object and assign it to $u$
  ◮ $[\![e]\!]_\sigma \in$ the set of objects existing in $\sigma$
  ◮ $[\![\forall o.\varphi]\!]_\sigma$: $\varphi$ holds for all objects existing in $\sigma$
  ◮ $[\![\exists o.\varphi]\!]_\sigma$: $\varphi$ holds for some object existing in $\sigma$
  ($e$, $o$ of type Object)
  examples:
  ◮ $\forall o.\langle u := \text{new}\rangle\neg(u = o)$ is true in all states (whatever existing object $o$ is picked, the object created afterwards differs from it)
  ◮ $\langle u := \text{new}\rangle\forall o.\neg(u = o)$ is false in all states (after the creation, $u$ itself is among the existing objects, so the quantifier ranges over it)

  11. Part III: Calculus

  12. Dynamic Logic Rules
  split: $\dfrac{\langle s_1\rangle\langle s_2\rangle\varphi}{\langle s_1;\, s_2\rangle\varphi}$
  if: $\dfrac{(e \rightarrow \langle s_1\rangle\varphi) \wedge (\neg e \rightarrow \langle s_2\rangle\varphi)}{\langle \text{if } e \text{ then } s_1 \text{ else } s_2 \text{ fi}\rangle\varphi}$
  unwind: $\dfrac{\langle \text{if } e \text{ then } s;\, \text{while } e \text{ do } s \text{ od else skip fi}\rangle\varphi}{\langle \text{while } e \text{ do } s \text{ od}\rangle\varphi}$
  assignVar: $\dfrac{\{u := e\}\varphi}{\langle u := e\rangle\varphi}$
  assignField: $\dfrac{\{e_1.x := e_2\}\varphi}{\langle e_1.x := e_2\rangle\varphi}$
  createObj: $\dfrac{\{u := \text{new}\}\varphi}{\langle u := \text{new}\rangle\varphi}$

  13. Update Application
  For certain formulas $\{U\}\varphi$ and expressions $\{U\}e$, the update $U$ can be 'applied' (resolved) using the rewrite relation $\leadsto$.
  following slides: big-step definition of $\leadsto$

  14. Part IV: Update Application

  15. Update Application: Standard Cases I
  $\dfrac{\neg\{U\}\varphi \leadsto \varphi'}{\{U\}(\neg\varphi) \leadsto \varphi'}$
  $\dfrac{\{U\}\varphi_1 * \{U\}\varphi_2 \leadsto \varphi'}{\{U\}(\varphi_1 * \varphi_2) \leadsto \varphi'}$ with $* \in \{\wedge, \vee, \rightarrow\}$
  $\dfrac{op(\{U\}e_1, \ldots, \{U\}e_n) \leadsto e'}{\{U\}\,op(e_1, \ldots, e_n) \leadsto e'}$
  $\{U\}\alpha \leadsto \alpha$ with $\alpha \in \{\text{true}, \text{false}, \text{null}, l\}$
  this slide: $U$ matches all updates

  16. Update Application: Standard Cases II
  $\{u := e\}u \leadsto e$
  $\{u := e\}v \leadsto v$ for $u \not\equiv v$
  $\dfrac{(\{u := e_1\}e_2).x \leadsto e'}{\{u := e_1\}(e_2.x) \leadsto e'}$
  $\dfrac{\big((\{e.x := e_1\}e_2) = e\ ?\ e_1 : (\{e.x := e_1\}e_2).x\big) \leadsto e'}{\{e.x := e_1\}(e_2.x) \leadsto e'}$
  $\dfrac{(\{e.x := e_1\}e_2).y \leadsto e'}{\{e.x := e_1\}(e_2.y) \leadsto e'}$ for $x \not\equiv y$

  17. Update Application: Restricted Standard Cases
  The standard rules for quantifiers and equality are restricted to non-creating updates $U_{nc}$ of the forms $u := e$ and $e_1.x := e_2$ ($u := \text{new}$ is excluded from these rules).
  $\dfrac{\forall l.\{U_{nc}\}\varphi \leadsto \varphi'}{\{U_{nc}\}(\forall l.\varphi) \leadsto \varphi'}$
  $\dfrac{\exists l.\{U_{nc}\}\varphi \leadsto \varphi'}{\{U_{nc}\}(\exists l.\varphi) \leadsto \varphi'}$
  $\dfrac{\{U_{nc}\}e_1 = \{U_{nc}\}e_2 \leadsto e'}{\{U_{nc}\}(e_1 = e_2) \leadsto e'}$

  18. Object Creating Updates: the Issue
  note:
  ◮ $\{U\}\varphi$ is the (explicit) weakest precondition $wp(U, \varphi)$
  problem:
  ◮ the result of $\{u := \text{new}\}\varphi$, i.e. $wp(\{u := \text{new}\}, \varphi)$, cannot talk about the new object, because it does not exist in the pre-state
  ◮ in particular: $\{u := \text{new}\}u \leadsto\ ?$
  basic approach:
  ◮ totally avoid $\{u := \text{new}\}u$
  ◮ observation: the only operations on objects are
    ◮ de-referencing fields
    ◮ test for equality
    ◮ quantification
  ◮ in all cases, the wp computation can employ meta knowledge

  19. Object Creating Update Application: Field Access
  $\dfrac{(\{u := \text{new}\}e).x \leadsto e'}{\{u := \text{new}\}(e.x) \leadsto e'}$ for $e \not\equiv u$
  $\{u := \text{new}\}(u.x) \leadsto init_T(x)$, where $init_T(x) \equiv \text{null} \mid 0 \mid \text{false}$ according to the type $T$ of the field $x$

  20. Object Creating Update Application: Equality
  $\dfrac{(\{u := \text{new}\}e_1) = (\{u := \text{new}\}e_2) \leadsto e'}{\{u := \text{new}\}(e_1 = e_2) \leadsto e'}$ for $e_1 \not\equiv u$, $e_2 \not\equiv u$
  $\{u := \text{new}\}(u = e) \leadsto \text{false}$ for $e \not\equiv u$
  $\{u := \text{new}\}(u = u) \leadsto \text{true}$

  21. Object Creating Update Application: Quantifiers
  $\dfrac{(\{u := \text{new}\}\varphi(u)) \wedge \forall o.(\{u := \text{new}\}\varphi(o)) \leadsto \varphi'}{\{u := \text{new}\}\forall o.\varphi(o) \leadsto \varphi'}$
  $\dfrac{(\{u := \text{new}\}\varphi(u)) \vee \exists o.(\{u := \text{new}\}\varphi(o)) \leadsto \varphi'}{\{u := \text{new}\}\exists o.\varphi(o) \leadsto \varphi'}$

  22. Example Proof 1
  (read bottom-up: the rule named on a line is applied to that line's sequent and yields the sequent above it; $*$ marks a closed branch)
  $*$
  closeFalse:    $\text{false} \Rightarrow$
  notRight:      $\Rightarrow \neg\text{false}$
  $\leadsto$ (applyUpd):  $\Rightarrow \{u := \text{new}\}\neg(u = c)$
  assignVar:     $\Rightarrow \langle u := \text{new}\rangle\neg(u = c)$
  allRight:      $\Rightarrow \forall o.\langle u := \text{new}\rangle\neg(u = o)$

  23. Example Proof 2
  (read bottom-up, as in Example Proof 1)
  $*$
  closeTrue:     $\forall o.\neg\text{false} \Rightarrow \text{true}$
  notLeft:       $\neg\text{true},\ \forall o.\neg\text{false} \Rightarrow$
  andLeft:       $\neg\text{true} \wedge \forall o.\neg\text{false} \Rightarrow$
  $\leadsto$ (applyUpd):  $\{u := \text{new}\}\forall o.\neg(u = o) \Rightarrow$
  assignVar:     $\langle u := \text{new}\rangle\forall o.\neg(u = o) \Rightarrow$
  notRight:      $\Rightarrow \neg\langle u := \text{new}\rangle\forall o.\neg(u = o)$

  24. (applyUpd step in Example Proof 2)
  Big-step derivation of $\leadsto$, leaves first:
  $\{u := \text{new}\}(u = o) \leadsto \text{false}$ and $\{u := \text{new}\}(u = u) \leadsto \text{true}$ (equality rules, slide 20)
  $\{u := \text{new}\}\neg(u = o) \leadsto \neg\text{false}$ and $\{u := \text{new}\}\neg(u = u) \leadsto \neg\text{true}$ (negation, slide 15)
  $\forall o.\{u := \text{new}\}\neg(u = o) \leadsto \forall o.\neg\text{false}$
  $\{u := \text{new}\}\neg(u = u) \wedge \forall o.\{u := \text{new}\}\neg(u = o) \leadsto \neg\text{true} \wedge \forall o.\neg\text{false}$
  $\{u := \text{new}\}\forall o.\neg(u = o) \leadsto \neg\text{true} \wedge \forall o.\neg\text{false}$ (quantifier rule, slide 21)
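Worked example (added here; not code from the talk, nor from the KeY system): a Python implementation of the big-step rewrite relation $\leadsto$ of slides 15 to 21 over a minimal AST for the language of slide 7. Everything beyond the slides is an assumption of this example: the AST class names, a field-declaration table FIELD_INIT standing in for $init_T(x)$, and that the equality rule of slide 20 is also used with the new variable on the right-hand side ($e = u$). The example functions reproduce the applyUpd steps of slides 22 and 24 and the aliasing case of slide 16.

```python
from __future__ import annotations
from dataclasses import dataclass

# Terms, formulas and updates of the simple language (slides 7 and 9). Frozen dataclasses
# give structural equality, so a rewritten result can be compared with its expected form.
@dataclass(frozen=True)
class Var: name: str                                     # program variable u, v, w
@dataclass(frozen=True)
class LVar: name: str                                    # logical variable / Skolem constant o, c
@dataclass(frozen=True)
class Const: value: object                               # 'true', 'false', 'null' or an int
@dataclass(frozen=True)
class Field: obj: object; name: str                      # e.x
@dataclass(frozen=True)
class Op: op: str; args: tuple                           # ¬ ∧ ∨ →, op(e1, ..., en), conditional '?:'
@dataclass(frozen=True)
class Eq: left: object; right: object                    # e1 = e2
@dataclass(frozen=True)
class Quant: q: str; var: LVar; body: object             # ∀/∃ over the objects existing in the state
@dataclass(frozen=True)
class AssignVar: var: Var; rhs: object                   # update u := e
@dataclass(frozen=True)
class AssignField: obj: object; name: str; rhs: object   # update e1.x := e2
@dataclass(frozen=True)
class New: var: Var                                      # update u := new

TRUE, FALSE, NULL = Const('true'), Const('false'), Const('null')   # strings: Const(True) == Const(1) otherwise
# Assumed field declarations for this example: init_T(x) is the default value of the field's type T.
FIELD_INIT = {'x': NULL, 'y': NULL, 'n': Const(0), 'b': FALSE}


def subst(t, o: LVar, e):
    """phi(e): replace the logical variable o by e (used for the quantifier cases of u := new)."""
    if isinstance(t, LVar):
        return e if t == o else t
    if isinstance(t, Field):
        return Field(subst(t.obj, o, e), t.name)
    if isinstance(t, Op):
        return Op(t.op, tuple(subst(a, o, e) for a in t.args))
    if isinstance(t, Eq):
        return Eq(subst(t.left, o, e), subst(t.right, o, e))
    if isinstance(t, Quant):
        return t if t.var == o else Quant(t.q, t.var, subst(t.body, o, e))
    return t                                             # Var, Const


def apply(U, t):
    """Big-step rewrite {U}t ~> t' of slides 15-21; U is AssignVar, AssignField or New."""
    creating = isinstance(U, New)
    if isinstance(t, (Const, LVar)):                     # {U}alpha ~> alpha
        return t
    if isinstance(t, Op):                                # connectives and op(e1, ..., en) push U inwards
        return Op(t.op, tuple(apply(U, a) for a in t.args))
    if isinstance(t, Quant):
        if not creating:                                 # restricted standard case (slide 17)
            return Quant(t.q, t.var, apply(U, t.body))
        # Post-state domain = pre-state objects plus the new one, so (slide 21) instantiate
        # the body with u, rewrite that, and keep the quantifier for the old objects.
        inst = apply(U, subst(t.body, t.var, U.var))
        return Op('∧' if t.q == '∀' else '∨', (inst, Quant(t.q, t.var, apply(U, t.body))))
    if isinstance(t, Eq):
        if creating and (t.left == U.var or t.right == U.var):
            # (u = u) ~> true; (u = e) ~> false for e not u, since no pre-state expression can
            # denote the new object (slide 20; also applied with u on the right, by symmetry).
            return TRUE if t.left == t.right else FALSE
        return Eq(apply(U, t.left), apply(U, t.right))
    if isinstance(t, Var):
        if isinstance(U, AssignVar) and U.var == t:      # {u := e}u ~> e
            return U.rhs
        if creating and U.var == t:                      # {u := new}u is never produced (slide 18)
            raise ValueError("{u := new} u has no meaning in the pre-state")
        return t                                         # {u := e}v ~> v; field and new updates leave variables alone
    if isinstance(t, Field):
        if creating and t.obj == U.var:                  # {u := new}(u.x) ~> init_T(x)
            return FIELD_INIT[t.name]
        obj = apply(U, t.obj)                            # ({U}e2).x
        if isinstance(U, AssignField) and U.name == t.name:
            # aliasing case of slide 16: ({U}e2 = e ? e1 : ({U}e2).x)
            return Op('?:', (Eq(obj, U.obj), U.rhs, Field(obj, t.name)))
        return Field(obj, t.name)
    raise TypeError(f"not a term or formula: {t!r}")


u, o, c = Var('u'), LVar('o'), LVar('c')

def example_proof_1():
    """Slide 22: after allRight (fresh c) and the u := new rule, {u := new}¬(u = c) ~> ¬false."""
    return apply(New(u), Op('¬', (Eq(u, c),)))

def example_proof_2():
    """Slide 24: {u := new}∀o.¬(u = o) ~> ¬true ∧ ∀o.¬false."""
    return apply(New(u), Quant('∀', o, Op('¬', (Eq(u, o),))))

def field_alias_example():
    """Non-creating field update from slide 16: {v.n := 5}(w.n) ~> (w = v ? 5 : w.n)."""
    v, w = Var('v'), Var('w')
    return apply(AssignField(v, 'n', Const(5)), Field(w, 'n'))
```

The bare form `{u := new} u` raises instead of rewriting: as slide 18 says, the calculus is arranged so that it is never produced. The quantifier case only ever places `u` underneath a field access or an equality, and those are exactly the positions the creating rules of slides 19 and 20 resolve using meta knowledge about the new object.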

  25. Part V: Abstract Object Creation in Symbolic Execution

  26. KeY-style Symbolic Execution
  up to here: backwards reasoning only
  KeY approach: forward symbolic execution using update parallelisation
  (read bottom-up: the rule(s) named on a line are applied to that line's sequent and yield the sequent above it)
  $*$
  close:                $u < v \Rightarrow u < v$
  applyUpd:             $u < v \Rightarrow \{w := u \mid u := v \mid v := u\}\, v < u$
  mergeUpd:             $u < v \Rightarrow \{w := u \mid u := v\}\{v := w\}\, v < u$
  assignVar:            $u < v \Rightarrow \{w := u \mid u := v\}\langle v := w\rangle\, v < u$
  mergeUpd, assignVar:  $u < v \Rightarrow \{w := u\}\{u := v\}\langle v := w\rangle\, v < u$
  split, assignVar:     $u < v \Rightarrow \{w := u\}\langle u := v;\ v := w\rangle\, v < u$
  split, assignVar:     $u < v \Rightarrow \langle w := u;\ u := v;\ v := w\rangle\, v < u$
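Update parallelisation as used on this slide, as an added example in Python (not KeY's own code). Assumptions of the example: program variables are strings, expressions are tuples of the form (op, arg, ...), a parallel update $\{x_1 := e_1 \mid \ldots \mid x_n := e_n\}$ is a dict, and when the same variable is assigned twice the later assignment wins, which is what mergeUpd relies on. It runs the swap program of the slide forward, accumulating one parallel update, applies it to the postcondition and checks that the resulting sequent closes.

```python
from typing import Dict, List, Tuple, Union

Expr = Union[str, tuple]            # a program variable, or (op, arg1, ..., argn)
Update = Dict[str, Expr]            # parallel update {x1 := e1 | ... | xn := en}


def apply_update(U: Update, e: Expr) -> Expr:
    """applyUpd for variable updates: simultaneous substitution, every variable on a
    right-hand side is read in the pre-state, never in another branch of the same update."""
    if isinstance(e, str):
        return U.get(e, e)
    return (e[0],) + tuple(apply_update(U, a) for a in e[1:])


def merge(U1: Update, U2: Update) -> Update:
    """mergeUpd: {U1}{U2}phi ~> {U1 | U2'}phi, where U2' is U2 with U1 applied to its
    right-hand sides. A variable assigned in both takes the later (U2) value."""
    merged = dict(U1)
    for x, e in U2.items():
        merged[x] = apply_update(U1, e)
    return merged


def symbolic_execute(program: List[Tuple[str, Expr]], post: Expr) -> Tuple[Update, Expr]:
    """Forward execution of a sequence of variable assignments (split, assignVar, mergeUpd
    per statement). Returns the accumulated parallel update and {U}post after applyUpd."""
    U: Update = {}
    for x, e in program:
        U = merge(U, {x: e})
    return U, apply_update(U, post)


# Constructed input: the swap program w := u; u := v; v := w of the slide.
SWAP: List[Tuple[str, Expr]] = [('w', 'u'), ('u', 'v'), ('v', 'w')]
POST: Expr = ('<', 'v', 'u')


def swap_update() -> Update:
    """Expected {w := u | u := v | v := u}: the third assignment reads w in the pre-state of
    that statement, where the merged update already maps it to u."""
    return symbolic_execute(SWAP, POST)[0]


def swap_sequent_closes(pre: Expr = ('<', 'u', 'v')) -> bool:
    """close: the sequent pre => {U}post is an axiom once applyUpd turns the succedent into pre."""
    _, wp = symbolic_execute(SWAP, POST)
    return wp == pre
```

The order of the three statements matters only through merge: each new single update is merged into the parallel update accumulated so far, so the calculus never has to re-visit the program prefix, which is the point of keeping one parallel update per proof branch.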
